The following 10 quick wins will not make you 100% hack-proof, but I promise you: if you are able to implement these 10 things, a hacker will have much more trouble going from a simple user to Domain Admin in order to deploy ransomware or carry out other malicious activity.
- Remove the default quota that lets any user create up to 10 machine accounts (set ms-DS-MachineAccountQuota to 0)
- Disable LLMNR, NBT-NS and WPAD on all devices
- Deploy LAPS on all end-user devices, and give each server a unique local Administrator account
- Enable RunAsPPL (LSA protection) on all machines except the Domain Controller
- Enforce SMB signing on all devices
- Enable LDAP signing and Channel Binding on the Windows LDAP servers
- Get rid of weak Windows passwords; the worst case is a weak password on an account that has an SPN
- Patch, patch, patch your servers, and not just once a year but every month
- Add all privileged accounts (including Domain Admin accounts) to the Protected Users group (be careful, it has impacts: it disables SSO and forces Kerberos authentication instead of NTLM)
- If you run ADCS, make sure you are protected against all the known attacks (ESC1-8) and that all the necessary logging is enabled
How to check?
The easiest way is to use the open source PingCastle.
Best is to run it frequently, on a regular basis, to see whether things are getting better or worse.
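PingCastle gives you the full picture, but you can also spot-check most of the list above yourself. The script below is an added example written for this post, not PingCastle's code and not something from the original article. It is read-only (it changes nothing) and assumes the RSAT ActiveDirectory module is installed, that it runs elevated on a domain-joined Windows machine, and that the LDAP signing and channel binding checks are run on a domain controller (the registry values only exist there). Patching and the ADCS (ESC) checks are not covered; the SPN check only lists the accounts whose passwords deserve a review.

```powershell
# Added example (not from the original post): read-only audit of several of the quick wins.
# Assumes RSAT ActiveDirectory module, elevated session, domain-joined host; LDAP checks are DC only.
Import-Module ActiveDirectory -ErrorAction Stop

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Check, [bool]$Ok, [string]$Detail) {
    $status = if ($Ok) { 'OK' } else { 'CHECK' }
    $findings.Add([pscustomobject]@{ Check = $Check; Status = $status; Detail = $Detail })
}

# Read a registry value, returning $null when the key or value does not exist
function Get-RegValue([string]$Path, [string]$Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

# 1. MachineAccountQuota: any authenticated user may create this many computer objects (default 10)
$domain = Get-ADDomain
$quota  = (Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
Add-Finding 'MachineAccountQuota is 0' ($quota -eq 0) "ms-DS-MachineAccountQuota = $quota"

# 2a. LLMNR is disabled by the DNSClient policy EnableMulticast = 0
$llmnr = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' 'EnableMulticast'
Add-Finding 'LLMNR disabled' ($llmnr -eq 0) "EnableMulticast = $llmnr (empty means policy not set)"

# 2b. NBT-NS: NetbiosOptions = 2 (disabled) is expected on every network interface
$ifaces = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
$nbtOn  = @($ifaces | Where-Object { (Get-RegValue $_.PSPath 'NetbiosOptions') -ne 2 })
Add-Finding 'NetBIOS-NS disabled' ($nbtOn.Count -eq 0) "$($nbtOn.Count) interface(s) still have NetBIOS enabled"

# 2c. WPAD: the WinHTTP Web Proxy Auto-Discovery service should not be running
$wpad = Get-Service -Name WinHttpAutoProxySvc -ErrorAction SilentlyContinue
Add-Finding 'WPAD service not running' ($null -eq $wpad -or $wpad.Status -ne 'Running') "WinHttpAutoProxySvc = $($wpad.Status)"

# 3. LAPS: a computer object with a password-expiration attribute is under LAPS management
#    (ms-Mcs-AdmPwdExpirationTime = legacy LAPS, msLAPS-PasswordExpirationTime = Windows LAPS).
#    Only query attributes that exist in this forest's schema, otherwise Get-ADComputer errors out.
$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$lapsAttrs = @('ms-Mcs-AdmPwdExpirationTime', 'msLAPS-PasswordExpirationTime' |
    Where-Object { Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$_)" })
if ($lapsAttrs.Count -eq 0) {
    Add-Finding 'LAPS deployed' $false 'No LAPS schema extension found in this forest'
} else {
    $computers = Get-ADComputer -Filter * -Properties $lapsAttrs
    $noLaps = @($computers | Where-Object { $c = $_; -not ($lapsAttrs | Where-Object { $c.$_ }) })
    Add-Finding 'LAPS deployed' ($noLaps.Count -eq 0) "$($noLaps.Count) of $(@($computers).Count) computers without a LAPS expiration time"
}

# 4. RunAsPPL (LSA protection) on this machine; 1 = enabled, 2 = enabled with UEFI lock
$ppl = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'RunAsPPL'
Add-Finding 'RunAsPPL enabled' ($ppl -ge 1) "RunAsPPL = $ppl"

# 5. SMB signing required on both the server and the client side of this machine
$smbSrv = (Get-SmbServerConfiguration).RequireSecuritySignature
$smbCli = (Get-SmbClientConfiguration).RequireSecuritySignature
Add-Finding 'SMB signing required' ($smbSrv -and $smbCli) "server=$smbSrv client=$smbCli"

# 6. LDAP signing (LDAPServerIntegrity = 2) and channel binding (LdapEnforceChannelBinding = 2), DC only
$ntds     = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$ldapSign = Get-RegValue $ntds 'LDAPServerIntegrity'
$ldapCbt  = Get-RegValue $ntds 'LdapEnforceChannelBinding'
Add-Finding 'LDAP signing + channel binding (DC only)' ($ldapSign -eq 2 -and $ldapCbt -eq 2) "LDAPServerIntegrity=$ldapSign LdapEnforceChannelBinding=$ldapCbt"

# 7. User accounts with an SPN: their password strength matters most, so list them for review (krbtgt excluded)
$spnUsers = @(Get-ADUser -Filter 'ServicePrincipalName -like "*"' -Properties PasswordLastSet |
    Where-Object { $_.SamAccountName -ne 'krbtgt' })
$spnList  = ($spnUsers | ForEach-Object { "$($_.SamAccountName) (password set $($_.PasswordLastSet))" }) -join '; '
Add-Finding 'Accounts with SPN reviewed' ($spnUsers.Count -eq 0) $spnList

# 8. Domain Admins that are not (directly or via nesting) members of Protected Users
$protectedSids = @(Get-ADGroupMember 'Protected Users' -Recursive | ForEach-Object { $_.SID.Value })
$unprotected   = @(Get-ADGroupMember 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' -and $protectedSids -notcontains $_.SID.Value })
Add-Finding 'Domain Admins in Protected Users' ($unprotected.Count -eq 0) (($unprotected | ForEach-Object SamAccountName) -join ', ')

$findings | Format-Table -AutoSize -Wrap
```

Run it on a workstation to cover the host-level items (LLMNR, NBT-NS, WPAD, RunAsPPL, SMB signing) and again on a domain controller for the LDAP values; the directory-wide items (MachineAccountQuota, LAPS coverage, SPN accounts, Protected Users membership) give the same answer from anywhere. Anything marked CHECK is a row to compare against the list above, not an automatic failure: the SPN row, for example, simply tells you which accounts need a strong password first.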